- 10-22-2005 #1Just Joined!
- Join Date
- Oct 2005
- Posts
- 3
SHV4, SHV5 Rootkit Installed
A customer of mine called me today and told me he thought his Linux FC 2 system was hacked. His dedicated server provider informed him of DOS attacks originating from his machine going outbound to ports 53 and 6667 to varied IPs. Investigation revealed the server was compromised nearly two weeks ago. When I got on the box I ran top and ps, both of which gave me this odd output:
Unknown HZ value! (75) Assume 100.
Running rkhunter revealed that rootkits SHV4 and SHV5 had most likely been installed. Further investigation revealed the following files to have been modified or installed by the hacker:
/lib/libsh.so/shrs
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.bashrc
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
/usr/sbin/lsof
/usr/bin/pstree
/usr/bin/find
/usr/bin/top
/usr/bin/dir
/usr/bin/slocate
/usr/bin/md5sum
/bin/ps
/bin/ls
/bin/netstat
/var/tmp/httpd
The files cannot be removed in any way. I've even tried copying unlink from an unaffected host but with no luck.
[root@XXXXXX]# ls -l /bin/ps
-rwxr-xr-x 1 122 114 62920 Jan 27 2005 /bin/ps
[root@XXXXXX]# /tmp/unlink /bin/ps
/tmp/unlink: cannot unlink `/bin/ps': Operation not permitted
[root@XXXXXX ]# chown root /bin/ps
chown: changing ownership of `/bin/ps': Operation not permitted
Adding a user to the system with UID 122 and trying to perform operations as that user avails nothing either. Perhaps someone here will know how to remove the files from the inode level. (We are going to re-image the server so we don't really need to delete the files, but as a Linux administrator it's very frustrating when you can't delete a file as the root user). Or perhaps someone has had a similar experience. Or perhaps the perpetrator will pick this up in a google search and get (in whatever weird, perverted way) the satisfaction he so desperately needs.
- 11-04-2005 #2Just Joined!
- Join Date
- Nov 2005
- Location
- EPA, California
- Posts
- 1
Looks like the attributes have been changed
The command chattr can be used to change the fundamental attributes of the file. The attribute that has probably been set by the hacker is the immutable attribute; this will prevent the file from being deleted or moved.
Check out the man pages on chattr
This discussion group has a post describing how to scrub a system.
http://www.derkeiler.com/Mailing-Lis...1-10/0078.html
Personally, I would do what you are doing and just wipe the system clean.
By the way, how did you determine when the initial intrusion took place?
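The two symptoms in this thread (binaries root cannot unlink or chown, and a binary owned by a bare UID/GID) can be triaged from captured `lsattr` and `ls -l` output without touching the live host. The script below is an added example for this thread, not a tool from any of the posters; the `lsattr` and `ls -l` samples it parses are constructed (the first `ls -l` line is the one from post #1), and the path list is the one post #1 reported.

```python
"""Triage helper for the two symptoms in this thread: system binaries that
root cannot unlink or chown, and binaries owned by a numeric UID/GID.

Constructed example for this thread, not a tool from any of the posters.
It parses `lsattr` and `ls -l` output captured elsewhere (two constructed
samples are embedded below, modelled on the thread's own ls output), so it
runs offline and never has to execute anything on the compromised host.
"""
import re

# Paths the original poster listed as modified or installed by the intruder.
SUSPECT_PATHS = {
    "/lib/libsh.so/shrs", "/lib/libsh.so/shhk", "/lib/libsh.so/shhk.pub",
    "/sbin/ttymon", "/sbin/ttyload", "/sbin/ifconfig",
    "/usr/lib/libsh/.sniff/shp", "/usr/lib/libsh/.sniff/shsniff",
    "/usr/lib/libsh/.bashrc", "/usr/lib/libsh/shsb", "/usr/lib/libsh/hide",
    "/usr/sbin/lsof", "/usr/bin/pstree", "/usr/bin/find", "/usr/bin/top",
    "/usr/bin/dir", "/usr/bin/slocate", "/usr/bin/md5sum",
    "/bin/ps", "/bin/ls", "/bin/netstat", "/var/tmp/httpd",
}

# Constructed sample of `lsattr` output: attribute flags, whitespace, path.
# 'i' is the immutable flag that chattr +i sets; 'e' only means extents.
LSATTR_SAMPLE = """\
----i--------e-- /bin/ps
----i--------e-- /bin/ls
-------------e-- /bin/cat
----i--------e-- /sbin/ttyload
"""

# Constructed sample of `ls -l` output; the first line is the thread's own.
LS_SAMPLE = """\
-rwxr-xr-x 1 122 114 62920 Jan 27 2005 /bin/ps
-rwxr-xr-x 1 root root 23296 Aug 12 2004 /bin/cat
"""

LSATTR_RE = re.compile(r"^([-a-zA-Z]+)\s+(/.+)$")


def parse_lsattr(text):
    """Map each path in lsattr output to its attribute flag string."""
    attrs = {}
    for line in text.splitlines():
        m = LSATTR_RE.match(line.strip())
        if m:
            attrs[m.group(2)] = m.group(1)
    return attrs


def immutable_files(attrs):
    """Paths carrying the immutable flag: root cannot unlink, chown or
    modify these until `chattr -i` clears it."""
    return sorted(p for p, flags in attrs.items() if "i" in flags)


def numeric_owner_files(text):
    """(path, owner, group) for ls -l lines whose owner or group is a bare
    number, i.e. a UID/GID with no entry in /etc/passwd or /etc/group, as in
    the thread's `122 114` listing of /bin/ps."""
    hits = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        owner, group, path = fields[2], fields[3], fields[8]
        if owner.isdigit() or group.isdigit():
            hits.append((path, owner, group))
    return hits


def known_suspects(attrs):
    """Immutable paths that also appear on the poster's list of rootkit files."""
    return sorted(set(immutable_files(attrs)) & SUSPECT_PATHS)


def remediation_commands(paths):
    """Commands that clear the flag if the files must be touched at all;
    the thread's advice is to do this from a live disc and then rebuild."""
    return [f"chattr -i {p}" for p in sorted(paths)]


if __name__ == "__main__":
    attrs = parse_lsattr(LSATTR_SAMPLE)
    print("immutable:", immutable_files(attrs))
    print("numeric owners:", numeric_owner_files(LS_SAMPLE))
    for cmd in remediation_commands(known_suspects(attrs)):
        print(cmd)
```

Run `lsattr` over the directories in question on the suspect host (or, better, against its mounted disk from a live disc) and feed the output to `parse_lsattr`; the numeric-owner check is a cheap second heuristic, since a packaged system binary should be owned by `root`, not by a UID with no account behind it. Neither check proves a file is clean, so the rebuild the other posters recommend still stands.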
- 11-04-2005 #3
Quote: Personally, I would do what you are doing and just wipe the system clean.
I will second that. And get the rebuilt system up to date - I am not sure how the FC releases work exactly, but don't they have a newer "stable" version than FC2 by now?
You also might consider creating an image / backup of the compromised system. This will let you:
* Study it to try to determine how the compromise occurred.
* Determine whether important data may have been stolen or altered.
* Maintain evidence for potentially pressing charges.
If you do not back it up before wiping it clean you lose evidence and may or may not learn anything from the compromise.
- 11-04-2005 #4Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
I also support getting a new system up and running, but I would have to say if you need to modify these files try doing it with a live disc, where the system will be offline and you can work more easily.
Probably better that you rebuild, though kudos on locating the modified files.